Stopping Attempted Wp-Logins
This topic has 6 replies, 6 voices, and was last updated 9 years, 11 months ago by crabbydigital.
April 12, 2013 at 5:28 pm #35106 crabbydigital (Member)
Does anyone have any advice or best practices on how to combat, stop, or prevent hackers from attempting to login to the wp-admin area? I am seeing a large rise in the number of attempts to my sites as well as my client's sites.
I have done about as much as I can think of to try and prevent these kinds of problems including using security plugins (Better WP Security), ensuring there is no admin user, and setting IPs to be blocked after so many failed login attempts.
I guess I could just change login pages (wp-admin, login, etc) using the plugin noted above but that really scares me thinking of all the other stuff that could break.
What other ideas on how to prevent this junk am I missing?
Thanks so much!

April 12, 2013 at 6:01 pm #35109 wp guy (Member)
I use Better WP Security with no issues, and it seems to work, since I get emailed reports when IPs get locked out. It happens often, which is scary.

April 12, 2013 at 6:29 pm #35111 Bill Murray (Member)
Brute force attacks on WP are currently a big news item, but in many ways they are being made into a big news item by companies that are selling security solutions. Matt Mullenweg posted the same thing earlier today.
Security plugins in general will have a very bad performance impact on your site. They are attempting to do something in PHP that needs to be done BEFORE PHP is executed. The first thing you should do is check to see if you can add a plugin from within the WP dashboard. If you can, your site is inherently insecure. The web server user that runs WP should not have write access to wp-content, but it needs that access if you can install plugins via the dashboard. If your installation is configured that way, you've opened the biggest security hole you can at the starting gate.
Further, using a security plugin to block IPs doesn't really solve all problems. A swarm of bad actors can hit your site, all of which might be blocked by your PHP-based security plugin, but the swarm might be an effective DoS attack that brings your site to its knees. You need to do blocking at the server level to stop that.
You also need to make sure users don't publicly display their user name because that gives an attacker 1/2 of the information he needs at the beginning.
Web: https://wpperform.com or Twitter: @wpperform
We do managed WordPress hosting.

April 12, 2013 at 7:42 pm #35126 Brad Dalton (Participant)
Limit Login Attempts, or the Wordfence plugin, which also includes this feature.
Code Poet have an excellent Security guide for download http://build.codepoet.com/2012/07/10/locking-down-wordpress/
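Bill Murray's point above about doing the blocking at the server level, as an added example that is not code from the thread or from any of the plugins mentioned: a small POSIX shell script that tallies failed logins per client address from an Apache "combined" access log and emits an Apache 2.4 deny block for the worst offenders. The log lines are constructed for the example, the threshold and the deployment of the generated directives are assumptions, and the test for a failed login relies on WordPress answering a bad password with a 200 (it redraws the form) and a good one with a 302 redirect.

```shell
#!/bin/sh
# Added example, not code from the thread: find the clients hammering
# wp-login.php in an Apache "combined" access log so they can be blocked in
# the web server or firewall rather than by a PHP plugin.
# The log lines below are constructed for this example.

SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.5 - - [12/Apr/2013:17:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Apr/2013:17:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Apr/2013:17:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Apr/2013:17:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Apr/2013:17:01:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Apr/2013:17:01:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:17:05:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:17:05:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Apr/2013:17:06:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2810 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Apr/2013:17:06:30 +0000] "GET /index.php HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
EOF

# Print "<count> <ip>" for each client with at least $2 (default 20) failed
# logins, highest count first. A failed login is a POST to wp-login.php that
# WordPress answered with 200 (it redraws the form); a successful login is
# answered with a 302 redirect, so a user who logs in once is not counted.
# Fields in the combined format: $1 client, $6 "METHOD, $7 path, $9 status.
wp_login_offenders() {
    logfile=$1
    threshold=${2:-20}
    awk -v t="$threshold" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 { n[$1]++ }
        END { for (ip in n) if (n[ip] >= t) print n[ip], ip }
    ' "$logfile" | sort -rn
}

# Wrap the offenders in an Apache 2.4 block for the vhost or the site's root
# .htaccess. This is an assumed deployment; a firewall rule or fail2ban jail
# built from the same list works just as well and costs even less.
deny_directives() {
    wp_login_offenders "$1" "$2" | awk '
        BEGIN { print "<Files wp-login.php>"
                print "    <RequireAll>"
                print "        Require all granted" }
              { print "        Require not ip " $2 }
        END   { print "    </RequireAll>"
                print "</Files>" }
    '
}

# Usage: with the constructed log and a threshold of 5 this denies 203.0.113.5
# only; 198.51.100.7 failed once and then logged in, so it is left alone.
deny_directives "$SAMPLE_LOG" 5
```

Run it against the real log (`wp_login_offenders /var/log/apache2/access.log 20`) from cron and reload the server after regenerating the block; nothing here is executed by PHP, so the blocked requests never reach WordPress at all.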
April 13, 2013 at 6:36 am #35206 Nomad (Member)
If you and/or your client are functioning on static IPs, block the wp-admin folder in .htaccess to only allow those IPs access. I try and enforce all security here first (.htaccess) and then move onwards to plugins, as mentioned before. It can be a pain if you are trying to log in from a 3G IP or an "on the road" IP, but I would rather quickly change this via FTP than risk being exposed.

April 14, 2013 at 3:42 pm #35472 Gary Jones (Member)
Make sure your administrator isn't called admin, administrator, root and so on.
Consider the Stealth Login Page plugin.
Don't bother with IP-based solutions, including the Limit Logins plugin. With a botnet of 90,000 or so, it's not going to solve anything.
WordPress Engineer, and key contributor to the Genesis Framework | @GaryJ

April 14, 2013 at 10:22 pm #35505 crabbydigital (Member)
Thanks so much to all for the tips.
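The .htaccess allowlist Nomad describes above, written out as an added example (not configuration from the thread). The addresses 203.0.113.10 and 198.51.100.0/24 are placeholders. Two details matter in practice: wp-login.php sits in the site root, not under wp-admin, so a wp-admin/.htaccess alone does not stop the login attempts; and admin-ajax.php inside wp-admin is fetched by front-end themes and plugins for anonymous visitors, so it has to be exempted or public pages break.

```apache
# Added example, not from the thread. Two separate files are shown; the
# addresses are placeholders for your own static IPs.

# ---- 1. Root .htaccess (next to wp-login.php) ----
<Files wp-login.php>
    # Apache 2.4
    Require ip 203.0.113.10 198.51.100.0/24
    # Apache 2.2 equivalent (use instead of the Require line):
    # Order Deny,Allow
    # Deny from all
    # Allow from 203.0.113.10 198.51.100.0/24
</Files>

# ---- 2. wp-admin/.htaccess ----
# Same allowlist for everything in the admin directory...
Require ip 203.0.113.10 198.51.100.0/24
# ...except admin-ajax.php, which public front-end requests rely on.
<Files admin-ajax.php>
    Require all granted
</Files>
```

Denied requests get a 403 from the web server before any PHP runs, which is what makes this cheaper than a plugin doing the same check. When you are on the road, the one line to edit over FTP is the `Require ip` (or `Allow from`) list.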